From: Anandu Krishnan E
To: srini@kernel.org, linux-arm-msm@vger.kernel.org
Cc: gregkh@linuxfoundation.org, quic_bkumar@quicinc.com, linux-kernel@vger.kernel.org, quic_chennak@quicinc.com, dri-devel@lists.freedesktop.org, arnd@arndb.de, ekansh.gupta@oss.qualcomm.com, stable@kernel.org
Subject: [PATCH v4] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
Date: Tue, 19 May 2026 02:05:07 +0530
Message-Id: <20260518203507.3754994-1-anandu.e@oss.qualcomm.com>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: linux-kernel@vger.kernel.org
There is a race between fastrpc_device_release() and the workqueue that processes DSP responses. When the user closes the file descriptor, fastrpc_device_release() frees the fastrpc_user structure. Concurrently, an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() schedules context cleanup via schedule_work(&ctx->put_work). If the workqueue runs fastrpc_context_free() in parallel with or after fastrpc_device_release() has freed the user structure, it dereferences the freed fastrpc_user.

Depending on the state of the context at the time of the race, any one of the following accesses can be hit:

1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) to strip the SID bits from the stored IOVA before passing the physical address to dma_free_coherent().

2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to reconstruct the source permission bitmask needed for the qcom_scm_assign_mem() call that returns memory from the DSP VM back to HLOS.

3. fastrpc_free_map() acquires map->fl->lock to safely remove the map node from the fl->maps list.

The resulting use-after-free manifests as:

pc : fastrpc_buf_free+0x38/0x80 [fastrpc]
lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_free+0xa8/0x1b0 [fastrpc]
fastrpc_context_put_wq+0x78/0xa0 [fastrpc]
process_one_work+0x180/0x450
worker_thread+0x26c/0x388

Add kref-based reference counting to fastrpc_user. Have each invoke context take a reference on the user at allocation time and release it when the context is freed. Release the initial reference in fastrpc_device_release() at file close.
Move the teardown of the user structure — freeing pending contexts, maps, mmaps, and the channel context reference — into the kref release callback fastrpc_user_free(), so that it runs only when the last reference is dropped, regardless of whether that happens at device close or after the final in-flight context completes.

Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter")
Cc: stable@kernel.org
Signed-off-by: Anandu Krishnan E
---
Changes in v4:
- Fixed a blank line issue
- Link to v3: https://lore.kernel.org/all/20260428073334.934358-1-anandu.e@oss.qualcomm.com/

Changes in v3:
- Fixed fastrpc_user_put()/fastrpc_channel_ctx_put() call order in fastrpc_context_free() and the err_idr path of fastrpc_context_alloc(); the correct ordering from v1 was accidentally reversed in v2
- Link to v2: https://lore.kernel.org/all/20260427074021.3774769-1-anandu.e@oss.qualcomm.com/

Changes in v2:
- Rewrote commit message to establish the problem first per review feedback; identified all three UAF dereference sites explicitly
- Moved resource cleanup (pending contexts, maps, mmaps) into fastrpc_user_free() so teardown is consolidated in the kref release callback
- Link to v1: https://lore.kernel.org/all/20260226151121.818852-1-anandu.e@oss.qualcomm.com/

 drivers/misc/fastrpc.c | 75 +++++++++++++++++++++++++++++-------------
 1 file changed, 52 insertions(+), 23 deletions(-)

diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 1080f9acf70a..48f8262af539 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -310,6 +310,8 @@ struct fastrpc_user { spinlock_t lock; /* lock for allocations */ struct mutex mutex; + /* Reference count */ + struct kref refcount; }; =20 /* Extract SMMU PA from consolidated IOVA */ 
@@ -497,15 +499,57 @@ static void fastrpc_channel_ctx_put(struct fastrpc_ch= annel_ctx *cctx) kref_put(&cctx->refcount, fastrpc_channel_ctx_free); } =20 +static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx); + +static void fastrpc_user_free(struct kref *ref) +{ + struct fastrpc_user *fl =3D container_of(ref, struct fastrpc_user, refcou= nt); + struct fastrpc_invoke_ctx *ctx, *n; + struct fastrpc_map *map, *m; + struct fastrpc_buf *buf, *b; + + if (fl->init_mem) + fastrpc_buf_free(fl->init_mem); + + list_for_each_entry_safe(ctx, n, &fl->pending, node) { + list_del(&ctx->node); + fastrpc_context_put(ctx); + } + + list_for_each_entry_safe(map, m, &fl->maps, node) + fastrpc_map_put(map); + + list_for_each_entry_safe(buf, b, &fl->mmaps, node) { + list_del(&buf->node); + fastrpc_buf_free(buf); + } + + fastrpc_channel_ctx_put(fl->cctx); + mutex_destroy(&fl->mutex); + kfree(fl); +} + +static void fastrpc_user_get(struct fastrpc_user *fl) +{ + kref_get(&fl->refcount); +} + +static void fastrpc_user_put(struct fastrpc_user *fl) +{ + kref_put(&fl->refcount, fastrpc_user_free); +} + static void fastrpc_context_free(struct kref *ref) { struct fastrpc_invoke_ctx *ctx; struct fastrpc_channel_ctx *cctx; + struct fastrpc_user *fl; unsigned long flags; int i; =20 ctx =3D container_of(ref, struct fastrpc_invoke_ctx, refcount); cctx =3D ctx->cctx; + fl =3D ctx->fl; =20 for (i =3D 0; i < ctx->nbufs; i++) fastrpc_map_put(ctx->maps[i]); @@ -521,6 +565,8 @@ static void fastrpc_context_free(struct kref *ref) kfree(ctx->olaps); kfree(ctx); =20 + /* Release the reference taken in fastrpc_context_alloc() */ + fastrpc_user_put(fl); fastrpc_channel_ctx_put(cctx); } =20 @@ -628,6 +674,8 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc( =20 /* Released in fastrpc_context_put() */ fastrpc_channel_ctx_get(cctx); + /* Take a reference to user, released in fastrpc_context_free() */ + fastrpc_user_get(user); =20 ctx->sc =3D sc; ctx->retval =3D -1; 
@@ -658,6 +706,7 @@ static struct fastrpc_invoke_ctx *fastrpc_context_alloc( spin_lock(&user->lock); list_del(&ctx->node); spin_unlock(&user->lock); + fastrpc_user_put(user); fastrpc_channel_ctx_put(cctx); kfree(ctx->maps); kfree(ctx->olaps); @@ -1579,9 +1628,6 @@ static int fastrpc_device_release(struct inode *inode= , struct file *file) { struct fastrpc_user *fl =3D (struct fastrpc_user *)file->private_data; struct fastrpc_channel_ctx *cctx =3D fl->cctx; - struct fastrpc_invoke_ctx *ctx, *n; - struct fastrpc_map *map, *m; - struct fastrpc_buf *buf, *b; unsigned long flags; =20 fastrpc_release_current_dsp_process(fl); @@ -1590,28 +1636,10 @@ static int fastrpc_device_release(struct inode *ino= de, struct file *file) list_del(&fl->user); spin_unlock_irqrestore(&cctx->lock, flags); =20 - if (fl->init_mem) - fastrpc_buf_free(fl->init_mem); - - list_for_each_entry_safe(ctx, n, &fl->pending, node) { - list_del(&ctx->node); - fastrpc_context_put(ctx); - } - - list_for_each_entry_safe(map, m, &fl->maps, node) - fastrpc_map_put(map); - - list_for_each_entry_safe(buf, b, &fl->mmaps, node) { - list_del(&buf->node); - fastrpc_buf_free(buf); - } - fastrpc_session_free(cctx, fl->sctx); - fastrpc_channel_ctx_put(cctx); - - mutex_destroy(&fl->mutex); - kfree(fl); file->private_data =3D NULL; + /* Release the reference taken in fastrpc_device_open */ + fastrpc_user_put(fl); =20 return 0; } @@ -1655,6 +1683,7 @@ static int fastrpc_device_open(struct inode *inode, s= truct file *filp) spin_lock_irqsave(&cctx->lock, flags); list_add_tail(&fl->user, &cctx->users); spin_unlock_irqrestore(&cctx->lock, flags); + kref_init(&fl->refcount); =20 return 0; } --=20 2.34.1
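Review bot: in the @@ -310,6 +310,8 @@ hunk the `/* Reference count */` comment on the new field says nothing the type does not already say; document who holds references, e.g. `/* Held by the open file and by each in-flight invoke context */`, since that invariant is what every other hunk in this patch relies on.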
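Review bot: in the @@ -497,15 +499,57 @@ hunk the list_for_each_entry_safe() over fl->pending inside fastrpc_user_free() cannot execute: every context on that list took a reference in fastrpc_context_alloc() that it drops only in fastrpc_context_free(), so fl->refcount cannot reach zero while fl->pending is non-empty, and the forward declaration of fastrpc_context_put() added only to support that loop is therefore unused. The behavioural change this hides is the reverse of what fastrpc_device_release() used to do, where every pending context was forcibly put at close: with this patch a context still pending when the file is closed pins the whole fastrpc_user (maps, mmaps, init_mem) until its DSP response arrives, and if that response never comes the user is leaked rather than freed. Either drop the dead loop and the forward declaration and state in the commit message that a pending context intentionally keeps the user alive after close, or keep a drain of fl->pending at close if that is the lifetime you want.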
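Review bot: in the @@ -521,6 +565,8 @@ hunk the order fastrpc_user_put(fl) then fastrpc_channel_ctx_put(cctx) is the right one, because fastrpc_user_free() itself calls fastrpc_channel_ctx_put(fl->cctx) and must run while the context's own cctx reference is still held; since the changelog says this ordering was already reversed by accident once in v2, extend the comment to state that dependency, e.g. `/* Release the user first: fastrpc_user_free() needs cctx alive */`, so the next refactor does not swap them back.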
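Review bot: in the @@ -1590,28 +1636,10 @@ hunk fastrpc_session_free(cctx, fl->sctx) stays in fastrpc_device_release() while fl itself can now outlive close, so a late fastrpc_context_free() runs with fl->sctx already released; if anything on that path reaches fl->sctx the same class of bug is only moved, not fixed. The three dereference sites in the description touch only fl->cctx, fl->lock and fl->maps, so a one-line comment at the fastrpc_session_free() call (or a sentence in the commit message) confirming that the deferred free path never needs the session would make the split between close-time and last-reference teardown explicit; otherwise move the session release into fastrpc_user_free() as well. Minor: the new comment `/* Release the reference taken in fastrpc_device_open */` should read fastrpc_device_open() to match the other comments in the file.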
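Review bot: in the @@ -1655,6 +1683,7 @@ hunk kref_init(&fl->refcount) runs after fl has already been published on cctx->users under cctx->lock; initialise the kref before the list_add_tail() (right after fl is allocated is the usual place) so that fl is never visible to any other path with an uninitialised refcount, and so the init and the matching fastrpc_user_put() in fastrpc_device_release() bracket the object's whole lifetime.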